diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 03521f5d..cc79b990 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -523,10 +523,12 @@ __PACKAGE__->register_method ({
 my $user = $rpcenv->get_user();
- my $ticket = PVE::AccessControl::assemble_ticket($user);
-
 my $node = $param->{node};
+ my $authpath = "/nodes/$node";
+
+ my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath);
+
 $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192) if !$sslcert;
@@ -547,10 +549,8 @@ __PACKAGE__->register_method ({
 my $timeout = 10;
- # fixme: do we want to require special auth permissions?
- # example "-perm Shell"
 my @cmd = ('/usr/bin/vncterm', '-rfbport', $port,
- '-timeout', $timeout, '-authpath', "/nodes/$node",
+ '-timeout', $timeout, '-authpath', $authpath,
 '-perm', 'Sys.Console', '-c', @$remcmd, @$shcmd);
 my $realcmd = sub {
diff --git a/PVE/API2/OpenVZ.pm b/PVE/API2/OpenVZ.pm
index 7fc4edb2..cde2ad26 100644
--- a/PVE/API2/OpenVZ.pm
+++ b/PVE/API2/OpenVZ.pm
@@ -741,11 +741,14 @@ __PACKAGE__->register_method ({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $user = $rpcenv->get_user();
- my $ticket = PVE::AccessControl::assemble_ticket($user);
 my $vmid = $param->{vmid};
 my $node = $param->{node};
+ my $authpath = "/vms/$vmid";
+
+ my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath);
+
 $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192) if !$sslcert;
@@ -772,7 +775,7 @@ __PACKAGE__->register_method ({
 my $timeout = 10;
 my $cmd = ['/usr/bin/vncterm', '-rfbport', $port,
- '-timeout', $timeout, '-authpath', "/vms/$vmid",
+ '-timeout', $timeout, '-authpath', $authpath,
 '-perm', 'VM.Console', '-c', @$remcmd, @$shcmd);
 run_command($cmd);
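Review bot: In PVE/API2/Nodes.pm (hunk at -523) the new `$authpath` is used both as the second argument to `assemble_vnc_ticket` and, further down, as vncterm's `-authpath`, but nothing on the new lines says that the two must stay identical or why the ticket now takes a path. I would add a comment above the assignment, e.g. `# VNC ticket is tied to $authpath; must equal the -authpath given to vncterm below`, so a later edit does not change one without the other. The same comment is missing at `my $authpath = "/vms/$vmid";` in PVE/API2/OpenVZ.pm (hunk at -741). The path is built by interpolating `$param->{node}` / `$param->{vmid}`; their format is presumably constrained by the method's parameter schema, which lies outside these hunks along with the rest of each register_method body.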
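Review bot: The `'-perm', 'Sys.Console'` argument added to the vncterm command in PVE/API2/Nodes.pm (hunk at -547) is, as far as these lines show, checked only by vncterm when a client presents the ticket; the method's own `permissions` declaration is outside the hunk and should require the same privilege on the same path, so that a caller without it is refused before a ticket is issued and a port is opened. The removed `# fixme` was the only comment explaining the permission question, so I would replace it rather than drop it, e.g. `# vncterm verifies the ticket against $authpath and requires Sys.Console`. The same applies to `'-perm', 'VM.Console'` in PVE/API2/OpenVZ.pm (hunk at -772). Both command lists are completed inside the hunks, but the enclosing method bodies are not.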